Rent-a-hacker site leaks Australian buyers’ names and addresses

A hackers-for-hire website appears to have been used by at least one Australian woman who wanted to figure out if her husband was cheating, a WA student trying to change their grades, and a NSW business trying to hack their rival to get their customer database.

The cat’s out of the bag for about 60 Australians who thought they could anonymously rent a hacker from a website to do their dirty work.

If you’ve used the hacker-for-hire site Hacker’s List to contract out a hack job then your name, address and the reasons why you sought a hacker are now available on the web, potentially exposing you to legal action.

Hacker’s List launched last November with the assurance that “only you and your hacker for hire know the details of your project”. A New York Times report in January highlighted that people across the world, from Sweden to Australia, were using it to anonymously request hacker services. Some jobs were legal, others were clearly not, such as one from an Australian who wanted to hack a business rival’s customer database.

Would-be buyers appear to have assumed that job descriptions they gave on the site couldn’t be linked to information that would reveal their identity. But last week security researcher Jonathan Mayer discovered the site was in fact leaking information that linked buyers’ names and addresses to job descriptions, which may ultimately reveal who they are and their motivation for seeking a hacker. It’s also culminated in a potentially embarrassing list that should make anyone think twice before hiring a hacker online.

Among thousands of job requests are tasks from dozens of Australians. Some simply wanted to regain access to their own accounts, while others wanted to change their grades. Not surprisingly, some wanted to spy on spouses.

“I believe my husband is cheating on me and I have no access to his phone and would [like] someone to hack into his whatsapp to confirm this,” one person wrote in November, offering between $300 and $500 for the job and listing a username and a NSW home address.

An enterprising user from Western Australia called “Jarmaa” sought a “semi-unethical hacker” to hack into the database behind the Tertiary Institutions Service Centre’s website tisc.edu.au for between $100 and $1000.

“The hacking itself is not at the cost of anyone else and thus should be determined as ethical. It is simply to help someone beat a flawed system to advance in higher education,” wrote Jarmaa.

It’s unclear whether the hacking of the tisc.edu.au website was ever carried out.

Another person from NSW said they wanted a rival’s customer database. “I want to know who their customers are, and how much they are charging them…”

Rather than hacking Hacker’s List, Mayer used a web crawler to scour publicly available information on the site. He found that requests for the most part were unlawful and typically involved a jilted lover or a business dispute. The other major source of requests related to boosting grades.

NSW Police’s Commander of the Fraud & Cybercrime Squad, Detective Superintendent Arthur Katsogiannis, said if a criminal offence such as hacking had been committed in NSW using Hacker’s List, and it was reported to police, the police would investigate.

The type of jobs on offer on Hacker’s List won’t come as any surprise to professional IT security contractors, who typically draw the line at testing customers’ systems with permission as opposed to their customers’ rivals.

“We get a handful of calls each year from individuals who call us to see if we can either break into their account or into other people’s accounts. Some say their accounts have been hacked and want us to investigate, and some want us to break into others’ accounts who they believe are targeting them for personal and business reasons,” said Ty Miller, chief executive officer of Threat Intelligence.

Miller also cautioned people against attempting to hire a hacker to do their own dirty work.

“If an individual hires a hacker to perform illegal actions, such as hacking into an online account or breaching an organisation’s systems, then the employer and the hacker are guilty of the crime and can face fines or jail time.”

Under Australian law a person who commits a hacking offence faces between two and 10 years’ jail depending on the type of offence committed. Even if you hire someone to hack into a system and don’t do it yourself you can still get into trouble, as one Australian discovered in 2001 after being sentenced to 450 hours of community service.

You also can’t hack into a system to recover your own data as that would constitute unauthorised access to a computer system, an offence that attracts jail time.